Dreyfus

With more than one billion active users, Facebook is perpetually innovating to stay in the race. Faced with an increasingly diverse range of social networks, the social web giant must improve the user experience. The following months are going to witness the implementation of various features, each with its share of clear issues.

Whether Facebook is a private or public space has always been open to debate. However, for most analysts, Facebook remained, by default, a public social network, a far cry from its origins when it was restricted to a handful of students. Besides, the innovations of the last few years have only highlighted this fact. The Court of Appeal of Besançon had thus held that “in light of its purpose and organization, this network must necessarily be considered as a public space”. (Besançon, November 15, 2011, 10/02642). With Timeline and Social Graph, it became very easy to regroup information that members could have wrongly thought to be private.

But Facebook seems to have backtracked, as new members will eventually have their confidentiality settings set to private. This will likely allow the courts to clearly assert the private nature of Facebook, as held by the Court of Appeal of Rouen in two 2011 judgments: “it cannot be asserted with absolute certainty that current case law denies Facebook the status of a private space given that this network can either constitute a private space or a public space, depending on the settings chosen by its user”.

Furthermore, all services or websites that allow for connection through Facebook will now be trying out a connection method that is “anonymous.” According to the social network, this will make it possible “to try out an application without sharing one’s personal information stored on Facebook.”

While Facebook is showing an inclination to limit the sharing of data, the social network still wants to know more about its members. Driven by the success of Shazam, Facebook will be adding a new feature that will make it possible to identify a song listened to by a user, and then to share it. Not only will Facebook have an intimate knowledge of the profiles of its users, but it will also be able to identify the musical tastes of each of its members, by region, age group or sex. This of course raises the question as to the use that is made of these data, their destination, or even their real purpose. There is no doubt that the social network is very closely monitored by all competent authorities in that respect.

The social network furthermore wants to bring its members closer. Thus, if two users are “friends” on the website, they could easily question each other on their relationship status by clicking on “Ask”. According to the Financial Times, Facebook is also devising an alternative to the famous application Snapchat. This ephemeral message service raises many legal issues: right to the use of individuals’ and/or goods’ images, right to privacy or even the gathering and admissibility of evidence.

Faced with social networks like WeChat, which is extremely popular in China and which offers various services, Facebook is diversifying. Despite the progress made by the network with respect to privacy protection, there remains the tricky issue of the right to be digitally forgotten. First and foremost advocated by Alex Türk, previous President of the CNIL, it is according to the latter “the implementation of a natural function, the ability to forget, which makes life bearable”.

Dreyfus is specialized in the fight against infringements on social networks. Please contact us for more information.

Following the media coverage of its discovery in early April, the so-called Heartbleed flaw has been extensively written about. A major flaw, if any, Heartbleed is actually a coding error in the OpenSSL encryption software. The websites using OpenSSL are, or were for a few days, highly vulnerable to theft of data. Overwhelming for some, frightening for others, the flaw must be taken seriously in any event. The Heartbleed situation in four questions.

What is Heartbleed?

Heartbleed is neither a malware nor a virus. It is a flaw in the implementation of the OpenSSL security protocol. The latter is used to secure communication between two computers while protecting their identities. Heartbleed allows any internet user to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt traffic as well as the names and passwords of users. It also allows hackers to eavesdrop on communications and to steal data directly from the servers.

The flaw of the OpenSSL lies in this tiny line of code:

memcpy (bp, pl, payload):

Mempcy is a command that copies data by overwriting previously copied data. But, with Heartbleed, the data is stored in the system as information to be overwritten, but it is not, and the flaw allows for this data to be stolen.

How significant is the flaw?

Heartbleed allows a maximum 64 Kb of data to be retrieved, which may seem to be an insignificant amount. However, this represents a significant amount of information in plain text (64,000 characters!). Together, data retrieved from all servers represent a colossal amount of information. In addition, “the number of attacks from hackers is unlimited” as stated by Fox-IT, a company specialised in IT security.

The identity of the hackers may be equally important. Thus, a few days after the discovery of the flaw, the National Security Agency (NSA) was accused of having exploited this flaw for almost two years to collect the maximum amount of data on Internet users. While the Edward Snowden commotion had started to settle, these accusations did not bode well for the U.S. agency.

Has the flaw been fixed?

The OpenSSL protocol was developed as open software. This allows its users to modify the source code, and to deal with flaws of this magnitude. For April, an organisation for the promotion of open software, the open nature of the code has “substantially lowered the impact of this flaw.” OpenSSL has been updated but this still does not solve all the problems, as the update must be installed on all vulnerable servers.

The most popular websites had already installed this update of the protocol before the media started reporting on the flaw. The servers are therefore no longer vulnerable to this flaw.

Nonetheless, mistakes can happen swiftly. Akamai Technologies, which manages almost 30 % of global traffic on its 147,000 servers, learnt it the hard way. For over 10 years, Akamai has been using a modified version of OpenSSL which provided “better security” against the Heartbleed flaw according to the Chief Technology Officer of the company. However, an independent researcher found “a code full of bugs and non-functional” in the patch provided by Akamai to its clients. The researcher believes that the update does not offer adequate protection against Heartbleed. This is particularly worrying given that Akamai’s clients are major banks, media groups and companies specialising in e-commerce.

However it is possible that other flaws will be revealed. Indeed, OpenSSL is crucial for websites that use it; however this project is far from being sustainable. Its developers are “desperately short of funds” according to the Research Manager of Sophos. The Wall Street Journal says that only four developers work on this project, only one of them on a full time basis.

What should users do?

For users, two steps are crucial to prevent personal information from being stolen. Firstly, it is essential to ensure that websites they use have updated their version of OpenSSL. This is already the case for most websites, including social networks and banks’, but checking is still important.

The second step is to change your passwords. This change must be put into practice after the OpenSSL has been updated, otherwise hackers may retrieve the new password.

Last but not least, in order to ensure protection of one’s information on the Internet, one should have different passwords. This is commonly known advice but unfortunately it not applied frequently enough. Yet, it is essential. Thus a unique and hard to guess password is good practice for sensitive websites such as banks’ websites. Passwords that are too simple such as “password” or “123456” are obviously prohibited, on any website.

On January 22, 2014, the U.S. District Court for the Northern District of California ruled on whether a takedown notice submitted to Facebook was in violation of the Digital Millennium Copyright Act (DMCA), a US statute enacted in 1998 to combat copyright violations.
CrossFit created a fitness training program and owns the trademark CROSSFIT. Jenni Alvies, without CrossFit’s consent, set up a blog “crossfitmamas.blogspot.com” and a Facebook page “CrossFit Mamas” on which workout routines and personal comments were posted. In addition, Alvies sold various products through her blog and was remunerated through Google AdWords ads.
After several exchanges, CrossFit sent a takedown notice to Facebook requesting the removal of the contents published on Alvies’ page on the grounds of a violation of the DMCA.
CrossFit eventually decided to sue Alvies before the Courts for trademark infringement. In response, Alvies argued that the DMCA only covers copyright infringements. Thus, by relying on the infringement of its trademark rights, CrossFit submitted an erroneous takedown notice to Facebook. CrossFit, on the other hand, argued that Facebook offers the option to submit notices based on either copyrights or trademark rights.
The District Court rejected CrossFit’s argument. Even though CrossFit did convince Facebook to remove Alvies’ page, the Court did not take this into consideration and highlighted the copyright violation by CrossFit. Besides, the Court found that Alvies, who received income through her Facebook page, would have suffered unreasonable damage due to the unlawful removal of the contents of her page.
Right owners must thus remain vigilant with regards to the wording of, and legal basis used in, takedown notices, to make sure they are not rejected.

The French Consumer Act, aka the Hamon Law (Act N˚ 2014-344 of March 17, 2014), will enter into force on June 13, 2014. It incorporates the provisions of the EU Directive on Consumer Rights of 2011 (Directive 2011/83/EU of October 25, 2011) which promotes e-commerce in the EU at national and cross-border level.
In order to comply with EU rules on consumer protection, e-merchants will need to provide more detailed information to consumers. This information obligation includes information on the obligation to pay, return costs, procedures to exercise the consumer’s withdrawal right and accepted modes of payment.
In the same vein, the Hamon law will bring in line with EU law the withdrawal and refund periods, which will be 14 days instead of 7 and the delivery period within the EU, which will be 30 days. The consumer will also have 30 days to make a request for cancellation of the sale based on non-delivery. Moreover, the Consumer Act prohibits contractual provisions which transfer the liability associated with the transport risk to the consumer.
Furthermore, the consumer’s consent will have to be obtained by opt-in; the consumer will compulsorily have to tick the boxes to notify his consent.
With regards to the protection of e-merchants, new exceptions to the withdrawal right will be established, mostly for hygiene purposes. E-merchants will also be able to hold consumers liable if the returned product has been overused. Finally, the e-merchants will not be held liable in case of loss or damage of products upon delivery, provided that the consumer chose his carrier.
What are the required updates for e-merchants?

• Amending general terms and conditions of sale in order to incorporate the changes in time limits and the new rules;
• Training and educating employees and partners on the new procedures, particularly on returns and refunds;
• Adjusting the order process to be in line with the new rules;
• Sending order confirmations containing all the required information on a durable medium which the consumer can store;
• Modifying the order button so it shows clearly the obligation to pay.

These measures form part of the EU’s fight for consumer protection. These measures are not limited to the regulation of e-commerce; they also provide for amendments in relation to litigation, with the introduction of class actions “à la française”.

Used as a marketing tool by economic operators, slogans are not only exploited in the real world but also in the digital world.

Protecting slogans over the Internet includes fighting against the use of third-party registered slogans in domain names. UDRP decisions show that assessing the likelihood of confusion in relation to slogans is similar to assessing such likelihood in relation to trademarks generally.

If a slogan has been registered as a trademark, the Panel will compare it with the domain name. On the other hand, if the slogan has not been registered as a trademark, then the existence of rights of a non-registered trademark (Common law rights) should be established. The applicant should establish an active use of the slogan, having created a link in the mind of the public between the slogan and its goods and services (D2005-0649 Ice House America, LLC v. Ice Igloo, Inc ; <icehouseamerica.com> and  <icehouseamerica.net>). It should be established in concreto at the time of registration of the disputed domain name (D2002-1117 Arthur Guinness Son & Co. Limited, Guinness Anchor Berhad v. Josh.com.my a.k.a. Josh Lim ).

Sometimes domain names reproduce slogans in their entirety. Thus, the domain name <foreversport.com> was found to be similar to the slogan “FOREVER SPORT” by Adidas (D2000-1148 Adidas International B.V. v. Kadana Holdings Pty Ltd).

Domain names may also reproduce only part of the relevant trademark, which is also the slogan of the complainant. This has been the case for the domain name <morgandetoi.mobi> where the complainant was the holder of a complex trademark that included the slogan “Morgan de Toi” (D2012-2117, C.C.V. Beaumanoir v. Zhihao Zheng).

A likelihood of confusion may also be established where only part of the slogan is reproduced in the domain name, provided that the distinctive components of the slogan are used. Thus a shoe manufacturer holding the trademark “Think!” and using the slogan “Shoes by Think” successfully obtained the transfer of the domain name <think-shoes.net> (D2007-1007 Marko Schuhfabrik GmbH v. Mercom Group).

Domain names may also reproduce the slogan in a slightly different manner without excluding the risk of confusion. In the case concerning the domain name <thisisadamking.com>, the Panel found that the complainant had non-registered trademark rights on its slogan “Who is Adam King” and that the replacement of “Who” by “This” did not exclude the risk of confusion since, on the contrary, “This” could be viewed as an answer to the question asked by the slogan (D2002-1117 Arthur Guinness Son & Co. Limited , Guinness Anchor Berhad c/ Josh.com.my a.k.a. Josh Lim).
Domain names may also reproduce the slogan in combination with other terms. For instance, if a domain name reproduces the trademark of the complainant and adds it to its own slogan, the likelihood of confusion is even greater (D2010-2126, Akbank Turk A.S.c/. Axess Yeterbana <axessyeterbana.com> – trademark Axess + slogan “Yeter bana”).

However, where a domain name includes a slogan associated with a negative term, the likelihood of confusion does not necessary arise. The Panels’ opinions  are divided with regards to domain names containing pejorative terms. Some refuse to recognize the existence of a likelihood of confusion in this case whilst others recognize it: it all depends on how one interprets the freedom of expression. Fighting against such domain names can therefore prove to be very difficult.

In this context, it is worth noting the decision regarding the domain names <mma-prejudice-moral-economique.com> and <mma-zero-tracas-publicite.com> rendered in favor of the insurer MMA in a way that was particularly favorable to rights holders (D2012-2136 MMA IARD c/ Eric François). The Panel noted a potentially confusing similarity on the grounds that, if had he found otherwise, this would “prevent right-owners from fighting many cases of cybersquatting”.

Finally, beyond the likelihood of confusion, the protection of slogans over the Internet also aims to prevent the exploitation of slogans by non-authorized third parties. It may include e.g. fighting against a misappropriation of the slogan on a third party’s website. The case D2004-0249 SEC SNC against Manakel Communication concerning the domain names <baton-de-berger.com> and <batondeberger.com> covered these two aspects. The domain names were identical to the complainant’s trademarks and were redirected to a pornographic website which displayed the slogan “There is no time for sucking it”, which is a misappropriation of the complainant’s slogan “There is no time for eating it.” The Panel based itself on the reproduction of the complainant’s trademarks to establish the likelihood of confusion and on the unjustified exploitation of the complainant’s slogan to establish the bad faith of the registrant.

Caution should therefore be exercised when acting against a domain name comprised of a slogan.

On February 5, 2014, the District Court of California ruled on a Legal Rights’ Objection (LRO) regarding the <.delmonte> gTLD (generic Top-Level Domain). The LRO was a protection awarded to trademark holders in ICANN’s New gTLD Program from June 2012 to March 2013. Trademark owners could file objections to new gTLD applications before the World Intellectual Property Organization (WIPO) to challenge the depositor’s rights to the gTLD.

Here, the court addressed a request to challenge a decision made by WIPO on the <.delmonte> in July 2013. The case involved two companies named Del Monte, a Delaware entity and its licensee, a Swiss company. The Swiss entity applied for the <.delmonte> gTLD as a license holder of the “DEL MONTE” trademark. However, the application was successfully contested by the Delaware entity by a LRO. In response, the Swiss company sued in US Federal Court to obtain the rights to the gTLD at issue and the Delaware company to give up its LRO.

The Swiss entity based its complaint on both the Anti-cybersquatting Consumer Protection Act (ACPA) and “reverse domain name hijacking”. Both of these claims involve domain names. The main question here is whether the claims can also apply to new gTLD applications.

Such a requirement begs the question of the new generic top-level domain’s registration. The court therefore questioned whether ICANN could be considered as a domain name registration authority. Texts and Case law diverge on the matter. In this case, ICANN was considered “much like a traditional domain name registrar” but the court’s analysis remained inconclusive for the new gTLDs.

It then turned to the registration and use of the new generic top-level domain. The court said that the <.delmonte> gTLD was never properly registered. Therefore, the ACPA’s requirement of “registration, trafficking or use” to constitute cybersquatting could not be asserted. As a result, the Delaware entity maintained the right it acquired with the LRO to the <.delmonte> gTLD.

This decision also highlights the fact that the ACPA was not written to take into account the new gTLDs. A reform of the Act should be considered to adapt it to ICANN’s new top-level domains.